Browser doesn't display CAPTCHA validation form in explicit proxy deployment

Article ID: 169031

Updated On:

Products

Data Center Security Monitoring Edition
ProxySG Software - SGOS

Issue/Introduction

When the ProxySG appliance is in an explicit proxy deployment and CAPTCHA validation policy is installed, the browser does not present the CAPTCHA validation form to users. In some cases, the browser displays an error message.

Note: CAPTCHA policy was introduced in SGOS 6.6.4. Refer to the SGOS Administration Guide and the Content Policy Language Reference for details.

Cause

When a browser configured for an explicit proxy opens an HTTPS connection, it sends a CONNECT request to the proxy. The request names the origin content server (OCS) hostname and tells the proxy that the client is about to open a tunnel to that host. What happens next depends on the authentication mode specified in policy:
  • If form-cookie mode is in use (or no authentication mode is specified), the proxy does not return a redirect. The browser never presents the CAPTCHA form, so users cannot complete validation.
  • If form-cookie-redirect mode is in use, the proxy returns a redirect; however, browsers do not follow a redirect sent in response to a CONNECT request. The browser displays an error message, and users cannot complete validation.
Note: Because CONNECT requests are addressed to the proxy and not to the OCS, they do not carry cookies.

Resolution

Intercept SSL connections and exempt HTTP CONNECT requests from CAPTCHA validation. Validation is then performed on the first HTTP request sent inside the tunnel, which is an ordinary request that carries cookies and can be redirected. Refer to the following CPL example:

; intercept SSL traffic using the HTTPS forward proxy
<SSL-Intercept>
  ssl.forward_proxy(https)

; if the request is not an HTTP CONNECT and the URL category is shopping,
; validate the user with the specified CAPTCHA validator
<Proxy>
  http.connect=no category=("shopping") validate(captcha_1)
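
The following is an added illustration, not part of the article and not ProxySG code: a small Python model of the exchange described in the Cause and Resolution sections, showing why applying validate() to the CONNECT request fails under both authentication modes and why exempting CONNECT makes validation succeed on the first request inside the tunnel. The names Request, proxy_response and browser_flow are hypothetical.

```python
# Added example: models the explicit-proxy CAPTCHA exchange; not the appliance's code.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str                                   # "CONNECT" or a tunneled method such as "GET"
    category: str                                 # URL category the proxy resolved for the host
    cookies: dict = field(default_factory=dict)   # CONNECT requests never carry cookies


def proxy_response(req, mode, skip_connect):
    """Return the proxy's answer to one request under a validate() rule for 'shopping'.

    mode is "form-cookie" or "form-cookie-redirect"; skip_connect models the
    http.connect=no condition that exempts CONNECT requests from validate().
    Answers: "tunnel" (CONNECT accepted), "form" (CAPTCHA form served inline),
    "redirect" (redirect to the CAPTCHA form) or "pass" (request allowed)."""
    if req.method == "CONNECT" and skip_connect:
        return "tunnel"                           # open the tunnel; validate inside it instead
    if req.category == "shopping" and "captcha_ok" not in req.cookies:
        return "redirect" if mode == "form-cookie-redirect" else "form"
    return "tunnel" if req.method == "CONNECT" else "pass"


def browser_flow(mode, skip_connect):
    """Drive a browser configured for an explicit proxy through one HTTPS visit."""
    # Step 1: the browser sends CONNECT; it is addressed to the proxy, so no cookies.
    reply = proxy_response(Request("CONNECT", "shopping"), mode, skip_connect)
    if reply == "redirect":
        return "browser error"                    # browsers do not follow a redirect to CONNECT
    if reply == "form":
        return "no form shown"                    # a form body in a CONNECT reply is never rendered
    # Step 2: tunnel is open; the first request inside it is an ordinary HTTPS request.
    reply = proxy_response(Request("GET", "shopping"), mode, skip_connect)
    if reply not in ("redirect", "form"):
        return "no validation"                    # policy never asked for CAPTCHA
    # Step 3: the user solves the CAPTCHA and the proxy sets the validation cookie.
    reply = proxy_response(Request("GET", "shopping", {"captcha_ok": "1"}), mode, skip_connect)
    return "validated" if reply == "pass" else "stuck"


if __name__ == "__main__":
    for mode in ("form-cookie", "form-cookie-redirect"):
        for skip in (False, True):
            print(f"{mode:22s} http.connect=no:{skip!s:5s} -> {browser_flow(mode, skip)}")
```

Without the http.connect=no condition the two modes reproduce the two symptoms from the Cause section; with it, both modes reach the validated state.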